Shorewall users - Aug 2012 - Configuring traffic control with Shorewall 4.5.6.2 on CentOS 6.3

Hi,

I have just created a new linux firewall for home use with CentOS 6.3
x64 minimal install and the following:

Shorewall (2 interface)
Dansguardian
Squid

I also have DHCPd and BIND9 running on there.

It looks something like this http://i.imgur.com/t0LTi.png

I would like to implement a simple traffic control and I''ve thought of
two possible configs:

1) 10.0.0.50 (my PC) has guaranteed bandwidth of 1mbit. I also want to
limit total download bandwidth to a group of sites defined as video
sites (e.g. youtube.com, vimeo.com, etc) to 1mbit across the network.
I have spent quite a long time looking for examples on the internet
but haven''t found much to help me.

2) give video sites and file downloads low priority over normal web
browsing and DNS, instead of limiting them to 1mbit in 1).
http://www.ckollars.org/shaping.html  did inspire me to think of
something like this:

** high priority
DNS queries
webmail (sites gmail, hotmail)
mail ports IMAP POP3 SMTP
skype

** normal priority
normal web browsing

** low priority
bit torrent
video websites (youtube.com, vimeo.com, etc)
ftp and http downloading of large files

I''m really not sure whether I should be using Shorewall simple traffic
control or complex traffic control, and I''m not really sure how to
configure it. If someone could show me some examples or how I could do
it, I''d much appreciate it.

My config files
shorewall.conf http://pastebin.com/CqchttsF
interfaces http://pastebin.com/RCf7NzFP
zones http://pastebin.com/mr9hRpSG
policy http://pastebin.com/EBRfPV4g
rules http://pastebin.com/9mhcmYVV
masq http://pastebin.com/sRrKENb1
tcdevices http://pastebin.com/VrYA0024
tcinterfaces http://pastebin.com/dutZUmaR
tcpri http://pastebin.com/qddPSxxT


Blank config files:
tcrules
tcclasses
tcfilters
tos
tunnels
params


If you have any other comments on my config, I would appreciate those too!

Thanks,
Mark

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 08/19/2012 08:49 AM, Mark Allison wrote:
> Hi,
>
> I have just created a new linux firewall for home use with CentOS 6.3
> x64 minimal install and the following:
>
> Shorewall (2 interface)
> Dansguardian
> Squid
>
> I also have DHCPd and BIND9 running on there.
>
> It looks something like this http://i.imgur.com/t0LTi.png
>
> I would like to implement a simple traffic control and I''ve
thought of
> two possible configs:
>
> 1) 10.0.0.50 (my PC) has guaranteed bandwidth of 1mbit. I also want to
> limit total download bandwidth to a group of sites defined as video
> sites (e.g. youtube.com, vimeo.com, etc) to 1mbit across the network.
> I have spent quite a long time looking for examples on the internet
> but haven''t found much to help me.
>
> 2) give video sites and file downloads low priority over normal web
> browsing and DNS, instead of limiting them to 1mbit in 1).
> http://www.ckollars.org/shaping.html  did inspire me to think of
> something like this:
>
> ** high priority
> DNS queries
> webmail (sites gmail, hotmail)
> mail ports IMAP POP3 SMTP
> skype
>
> ** normal priority
> normal web browsing
>
> ** low priority
> bit torrent
> video websites (youtube.com, vimeo.com, etc)
> ftp and http downloading of large files
>
> I''m really not sure whether I should be using Shorewall simple
traffic
> control or complex traffic control, and I''m not really sure how to
> configure it. If someone could show me some examples or how I could do
> it, I''d much appreciate it.
Given that your requirements seem to focus on incoming traffic from 
particular domains, it will be difficult to meet your needs with 
Shorewall traffic shaping (simple or complex).

- Shorewall''s traffic shaping works at the network layer. So:

	o It doesn''t know anything about DNS names.
	o It can''t distinguish between smaller downloads and normal web
	  traffic.
	o It is only effective for controlling traffic sent through an
	  interface, not for traffic received through an interface. So
	  to regulate traffic from the net, you must either configure
	  an IFB or you need to do your traffic control as traffic is
	  sent out of your local interface.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Den 2012-08-21 00:47, Tom Eastep skrev:
>> Shorewall (2 interface)
>> Dansguardian
>> Squid
delay_pools

each pool have its own bandwidth limit, but its limited to only 
protocols that squid supports




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/